API Tutorial: How to Scan an Application

Veracode APIs

This tutorial provides basic step-by-step information on how to use the Veracode Upload API to automate the scanning of an application using the HTTPie command-line tool. This guide uses standalone HTTP request calls, but you can combine them in an API wrapper to process multiple API calls.

Note: Before you can access and use the APIs, your Veracode user account must have the required permissions.
To configure and submit a scan request:
  1. If your application already exists, omit this step. Create an application profile for the application you want to scan by entering:
    http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/createapp.do" "app_name==<your application name>" "business_criticality==<enter level>"
    Where indicated, insert your application name and level of business criticality of the application. Refer to the createapp.do call for more information on these parameters. The returned appinfo.xml file contains the application ID number, which you need when using other calls.
  2. Enter this command to upload the file you want to scan:
    http --auth-type=veracode_hmac POST -f "https://analysiscenter.veracode.com/api/5.0/uploadfile.do" "app_id==<your application ID>" "file@<your path and filename>" "save_as==<new name for your app file>"
    Where indicated, insert your application ID and filename. Optionally, use the save_as parameter to give your application file a new name on the Veracode Platform.
    Note: For the file parameter, enter the @ symbol first followed by the path and filename.

    Optionally, you can call createbuild.do if you want to name the scan.

  3. Start the prescan of the uploaded file by entering:
    http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/beginprescan.do" "app_id==<your application ID>"
    Where indicated, insert your application ID.
  4. Check the prescan results to confirm that the prescan succeeded before you run the full scan. At this point you can add additional files using uploadfile.do, if necessary, but only if you have not set auto_scan to true as part of the beginprescan.do call. To retrieve the prescan results, from the command line, enter:
    http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/getprescanresults.do" "app_id==<your application ID>"
    Where indicated, insert your application ID. The returned prescanresults.xml document contains the prescan details. For more information about the prescan results, go to API Prescan Status Information. For more information on build status messages, see API Build Status Information.
  5. If your prescan was successful, start the full scan by entering:
    http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/beginscan.do" "app_id==<your application ID>" -F "scan_all_top_level_modules==true"

    Where indicated, insert your application ID.
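
The check between steps 4 and 5, as an added example that is not part of the original tutorial or Veracode's own code: a shell wrapper that calls beginscan.do only when the prescan reply passes a gate. The function names, the --run switch, and the assumed reply shape (a <prescanresults> root with <module> children carrying a has_fatal_errors attribute) are assumptions to verify against your own prescanresults.xml; refusing on any module with fatal errors is a conservative policy chosen for this example.

```shell
# Added example, not Veracode's code: gate step 5 on the step 4 response.
# Assumed response shape (check it against your own prescanresults.xml):
# a <prescanresults> root, <module> children with a has_fatal_errors
# attribute, and some other root such as <error> when the call fails.

API="https://analysiscenter.veracode.com/api/5.0"

# Single choke point for API calls: same auth type and base URL every time.
vc_call() {  # usage: vc_call <endpoint.do> <httpie request items...>
  vc_endpoint=$1; shift
  http --auth-type=veracode_hmac "$API/$vc_endpoint" "$@"
}

# Reads the prescan XML on stdin; returns 0 only when the scan may proceed.
# Every refusal states its reason on stderr so CI logs show why it stopped.
prescan_gate() {
  gate_xml=$(cat)
  case $gate_xml in
    *"<prescanresults"*) ;;
    *) echo "refused: reply is not a prescanresults document" >&2; return 1 ;;
  esac
  case $gate_xml in
    *"<module "*) ;;
    *) echo "refused: prescan listed no modules" >&2; return 1 ;;
  esac
  case $gate_xml in
    *'has_fatal_errors="true"'*)
      echo "refused: a module has fatal errors" >&2; return 1 ;;
  esac
  return 0
}

# Steps 4 and 5 of the tutorial: fetch prescan results, scan only if clean.
scan_if_clean() {  # usage: scan_if_clean <app_id>
  scan_app=${1:-}
  case $scan_app in
    ''|*[!0-9]*) echo "refused: app_id must be numeric" >&2; return 2 ;;
  esac
  vc_call getprescanresults.do "app_id==$scan_app" | prescan_gate || return 1
  vc_call beginscan.do "app_id==$scan_app" -F "scan_all_top_level_modules==true"
}

# Run as: sh prescan_gate.sh --run <app_id>
if [ "${1:-}" = "--run" ]; then scan_if_clean "${2:-}"; fi
```

In a pipeline, a non-zero exit from scan_if_clean means the full scan was not requested, so the job should fail rather than report an unscanned build as clean.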